By using AWS re:Post, you agree to the Terms of Use

Using Session Manager to connect RDS without having EC2 instance

0

When I go through the documents, using session manager we can connect instance in private subnet without having bastion host itself [direct port forwarding from local to private ec2].

But in RDS case, even though we are making connection using session manager we need a EC2 instance in between local and private RDS.

Could you anyone explain me why it is like that? please share some document that explains that as well.

1 Answer
1
Accepted Answer

Hi Vignesh, though we sometimes do document what is not possible, I'm not aware of a document that would explain why you cannot connect directly to RDS using SSM. So let me resort to a more generic answer:

SSM allows many more functions - and changes! - to an instance than just connecting to it. Having full SSM functionality on an RDS instance thus would undermine the Shared Responsibility Model we use for RDS (you could also say: it would violate the "Black Box" principle of RDS). Therefore, you need an intermediary instance that forwards the TCP Port exposed by RDS to your local machine.

Further reading:

If this helped you, kindly mark my answer as "accepted". Kind regards, Uwe

profile picture
answered a month ago
  • Thank you for your response. Could you please briefly tell me about the "Black Box" principle of RDS? @Uwe

  • Though "Black Box" is not official AWS wording, I used it to describe the fact that RDS as a managed system isn't as open to connect to or apply changes (e.g. OS Kernel settings) as a custom install on EC2 would be. It's because of the responsibility AWS takes for RDS's availability and security that some functionality you'd have on a self-managed database server isn't available to you on RDS. Or, in other words: you get a certain service, but the way this service is configured and managed isn't published in detail (and may be changing over time). HTH, Uwe

  • Thanks, @Uwe. That's a great explanation. Much appreciated

  • @Uwe I have another question related to this connecting from the docker container. Please share if you have any docs any ideas https://repost.aws/questions/QUGuUewImyTiabU7R946zD9w/from-docker-container-need-to-connect-rds-using-session-manager

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions